Skip to main content
This website uses cookies. By continuing to use this website you are agreeing to our use of cookies as described in our privacy policy.
Bulletin

Bill 64 – Chief Privacy Officer will be mandatory in private organizations

Fasken
Reading Time 4 minute read
Subscribe

Bulletin #5 | Special Series - Bill 64 & Act to modernize legislative provisions as regards the protection of personal information

Bill 64 seems bold given its numerous provisions that indicate a clear intention to focus on the principle of accountability. While the current Act respecting the protection of personal information in the private sector ("Quebec Private Sector Act")[1] never addresses the principle of accountability or transparency (note that the terms "accountable," "accountability" and "transparency" do not appear in any provision in the current Act), Bill 64 provides a major upgrade by instantly adding a whole section based on the accountability principle.[2]

This section on accountability provides numerous new obligations such as the obligation to: implement governance policies and practices for the protection of personal information, establish a framework for the keeping and destruction of the information, establish a process for dealing with complaints, assess privacy-related factors, report security incidents in certain circumstances and keep a register of confidentiality incidents. All of which will of course be under the control, supervision and responsibility of this new position that will have to be created in all businesses: the person in charge of the protection of personal information, also known as a "privacy officer."

How will this actually affect Quebec businesses?

Until now, contrary to what is currently in force in British Columbia,[3] Alberta[4] and under the federal PIPEDA,[5] the Quebec Private Sector Act does not require the appointment of a privacy officer.[6]

As such, Bill 64 corrects this disparity in section 95 by expressly providing not only that any person carrying on an enterprise is responsible for protecting the personal information held by the person, but also goes further by requiring (as is currently in effect in the Act respecting access[7]) that the person exercising the highest authority shall exercise the function of the person in charge of the protection of personal information.

All or part of this function may be delegated in writing to a member of the personnel. Moreover, the title and contact information of the privacy officer must be published on the company's website or if the company does not have a website, this information must be made available by any other appropriate means.

What will the privacy officer have to do?

The privacy officer will have to ensure that the business complies with the applicable principles under the Quebec Private Sector Act regarding the protection of personal information. Moreover, the following are a few examples of the duties that the privacy officer must oversee:

  • establish and implement policies and practices governing the enterprise and the protection of personal information;
  • ensure the implementation of policies/practices in respect of keeping and destroying personal information;
  • define the roles and responsibilities of the members of its personnel;
  • establish a process for handling complaints regarding the protection of personal information;
  • assess the privacy-related factors of any information system project or electronic service delivery project;
  • at any stage of such a project, suggest personal information protection measures as well as the framework of such measures as provided under the Quebec Private Sector Act;
  • be involved in managing a confidentiality incident, such as by establishing policies in this regard, such as a security incident response plan.

The tone has been set: Bill 64 aims to greatly expand the accountability principle and to combine it with the power to impose heavy monetary penalties against a business in breach. Moreover, the position of privacy officer will be automatically assigned to the person with the highest authority in the enterprise. This person must then duly carry out the related duties or delegate this task to a member of the personnel, who must clearly have the necessary skills and abilities to be able to properly carry out the duties, given the serious consequences to the business's reputation and the monetary penalties that could be imposed against the business in the event of a breach.

 

BILL 64 RESOURCE CENTER Visit our Bill 64 Resource Center for all the information you need to help you to cope with the changes that might be made to the legislation.

FASKEN INSTITUTE - Register now to our training that will shed light on the main changes and impacts to be expected in the management of your businesses.

DISTRIBUTION LIST If you do not want to miss our next bulletins and any other relevant information on this subject, sign up now on our distribution list to receive all communications related to this new Bill. 



[1] Chapter P-39.1
[2] Bill 64, s 95.
[3] See the book by Mtres Antoine Guilmain and Éloïse Gratton, The Protection of Personal Information in the Private Sector in Québec. Looking Back and Thinking Forward , Éditions Yvon Blais,Thomson Reuters Canada, 2020, pp. 26-31.
[4] Id.
[5] Personal Information Protection and Electronic Documents Act, SC 2000, c 5.
[6] Comparative table on privacy laws drafted by Mtres Antoine Guilmain, Antoine Aylwin and Karl Delwaide.
[7] Act respecting access to documents held by public bodies and the protection of personal information, CQLR, c A-2.1.

    Subscribe

    Receive email updates from our team

    Subscribe